Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 31 and April 7. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for March 31 to April 7

Be prepared to discuss difficult topics with potential new third-party software vendors, such as incident notification requirements, access to logs during a security incident and who the important emergency contacts are.

Thursday, April 6, 2023 14:04

Welcome to this week’s edition of the Threat Source newsletter.

It seems like we can’t go a full calendar year without a major supply chain attack. In late 2020 we had the SolarWinds incident (which, doesn’t that somehow seem like five years ago but also yesterday?), then the REvil ransomware group infiltrating the Kaseya VSA software in the summer of 2021 and last week we had another attack targeting the 3CX Desktop Softphone application.

For now, the adversaries behind the 3CX supply chain attack seem mainly focused on infiltrating cryptocurrency-related companies and exchanges to steal money. But we’ve still yet to see the full scale of this attack — the 3CX website claims to have over 600,000 customers and 12 million daily users. In the company’s latest update on the security incident, 3CX said the “incident was carried out by a highly experienced and knowledgeable hacker.”

So even though we’ve been talking about the importance of defending against supply chain attacks for three years now, I felt like this was a good place to round up all the information Talos has available on preparing for and preventing supply chain attacks. Here are a few tips with some handy links:

*   If your organization is specifically affected by the 3CX supply chain attack, Cisco Secure and Talos have a range of detection available across the Cisco portfolio. 3CX also has instructions for uninstalling the affected desktop application on its website.
*   Be prepared to discuss difficult topics with potential new third-party software vendors, such as incident notification requirements, access to logs during a security incident and who the important emergency contacts are. Talos Incident Response has a full list of these questions in this blog.
*   Take an inventory of the SaaS applications your organization uses and document their business use case and relevant access authorizations. Nick Biasini and I talk about the importance of asset management in this episode of Talos Takes right after the SolarWinds incident.
*   Implement a zero-trust approach to security so that your organization verifies every access attempt. This also means only assigning the appropriate rights to each user on a network that they need to do their job.
*   Create an incident response plan and/or playbook so your organization is ready to respond in the event of a supply chain attack. Cisco Talos Incident Response can help with that.

**The one big thing**

The developer of the Typhon Reborn information stealer recently released an updated version (V2) that includes significant updates to its codebase and improved capabilities. Most notably, the new version features additional anti-analysis and anti-virtual machine (VM) capabilities to evade detection and make analysis more difficult.

**Why do I care?**

Once on an infected machine, the stealer can harvest and exfiltrate sensitive information and uses the Telegram API to send stolen data to attackers. This can include highly sensitive data, such as login information to cryptocurrency wallets and exchanges, VPN clients and email and messaging clients. The latest version of the stealer is available on dark web forums for a relatively low price in comparison to other information stealers, so Talos researchers suspect this malware will pop up in cyber attacks going forward.

**So now what?**

The Talos blog has a full rundown of the Cisco Secure detection capabilities in place to prevent the execution of this malware and alert users if it’s on their network.

**Top security headlines of the week**

While the proposed “RESTRICT Act” in U.S. Congress is widely known as the “TikTok ban,” it would **actually do much more than restrict the popular social media app in the U.S.** Critics of the bill say, if passed, it would give the Executive Branch greater control over the online marketplace and potentially restrict the sale of other software that could be viewed as potentially dangerous like VPNs that consumers use to encrypt and route their traffic. The White House is in favor of the bill, saying that it would protect American national security by restricting data collection from foreign governments. However, the language of the bill only says it would restrict software from countries identified as a “foreign adversary,” which currently includes China, Cuba, Iran, North Korea, Russia and Venezuela. (Vice, The Electronic Frontier Foundation)

International law enforcement agencies **seized several domain names tied to Genesis Market,** a popular cybercrime store, on Wednesday, while also arresting some of its alleged administrators. Genesis Market was known to sell access to stolen passwords and other data. Customers who purchased this information could load the victim’s authentication cookies into their web browser to access their online accounts without needing a password and sometimes bypass multi-factor authentication. Arrest warrants were reportedly out for several individuals involved in the marketplace in the U.S., Canada and Europe. During a series of raids this week, the UK's National Crime Agency (NCA) arrested 24 people who are suspected users of the site. (BBC News, Krebs on Security)

**Online alcohol recovery startups Monument and Tempest were mistakenly sharing users’ health information** and data with third-party advertisers for years without their consent, according to a data breach notification filed with California’s attorney general. Monument, which acquired Tempest last year, assists customers in dealing with and recovering from alcohol abuse, including offering online counseling, an anonymous forum and the ability to prescribe medication. The company said in the filing that they were mistakenly sharing information through third-party ad tracking systems such as those from Google and Meta. The data shared with advertisers included patients’ photos, the answers to online questionnaires about their health and alcohol use, personally identifiable information (PII) and their insurance providers. (TechCrunch, The Verge)

**Can’t get enough Talos?**

*   Talos Takes Ep. #133: The defensive and offensive implications of ChatGPT and AI
*   Vulnerability Spotlight: Buffer overflow vulnerability in ADMesh library
*   Threat Roundup for March 24 - 31
*   Vulnerability Spotlight: Vulnerability in ManageEngine OpManager could lead to XXE attack
*   Typhon Reborn Stealer Malware Resurfaces with Advanced Evasion Techniques

**Upcoming events where you can find Talos**

**RSA** **(April 24 - 27)**

San Francisco, CA

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6  
**MD5:** 1e2a99ae43d6365148d412b5dfee0e1c  
**Typical Filename:** PDFpower.exe  
**Claimed Product:** PdfPower  
**Detection Name:** Win32.Adware.Generic.SSO.TALOS

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423  
**MD5:** 954a5fc664c23a7a97e09850accdfe8e  
**Typical Filename:** teams15.exe  
**Claimed Product:** teams15  
**Detection Name:** Gen:Variant.MSILHeracles.59885

**SHA 256:** c74e7421f2021b46ee256e5f02d94c1bce15da107c8c997c611055412de1ac1  
**MD5:** 2d16d0af6183803a79d9ef5c744286c4  
**Typical Filename:** nano\_download.php  
**Claimed Product:** Web Companion Installer  
**Detection Name:** W32.1C74E7421F-100.SBX.VIOC

Threat Source newsletter (April 6, 2023) — Another friendly reminder about supply chain attacks

Ichitaro uses the ATOK input method (IME) and uses the proprietary .jtd file extension. It’s the second most-popular word processing system in Japan behind only Microsoft word.

Wednesday, April 5, 2023 11:04

_A Cisco Talos researcher discovered these vulnerabilities._

Cisco Talos recently discovered four vulnerabilities in Ichitaro, a popular word processing software in Japan produced by JustSystems that could lead to arbitrary code execution.

Ichitaro uses the ATOK input method (IME) and uses the proprietary .jtd file extension. It’s the second most-popular word processing system in Japan behind only Microsoft word.

Talos discovered four vulnerabilities that could allow an attacker to gain the ability to execute arbitrary code on the targeted machine. TALOS-2022-1673 (CVE-2022-43664) can trigger the reuse of freed memory by the attacker, which can lead to further memory corruption and potentially result in arbitrary code execution after the target opens an attacker-created malicious file. TALOS-2023-1722 (CVE-2023-22660) has a similar effect, though in this case, it’s caused by a buffer overflow condition.

There are two other memory corruption vulnerabilities that can also be triggered if the target opens a specially crafted, malicious document — TALOS-2022-1687 (CVE-2023-22291) and TALOS-2022-1684 (CVE-2022-45115) — which could also lead to code execution.

Cisco Talos worked with JustSystems to ensure these vulnerabilities are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Ichitaro 2022, version 1.0.1.57600. Talos tested and confirmed this version of the word processor could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against this vulnerability:  
61011, 61012, 61091, 61092, 61163, 61164, 61393 and 61394. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Vulnerabilities in popular Japanese word processing software could lead to arbitrary code execution, other issues

The stealer is for sale on dark web forums for $59 a month, or $540 for a lifetime subscription, which is relatively inexpensive compared to other infostealers.

*   The developer of the Typhon Reborn information stealer released version 2 (V2) in January, which included significant updates to its codebase and improved capabilities.
*   Most notably, the new version features additional anti-analysis and anti-virtual machine (VM) capabilities to evade detection and make analysis more difficult.
*   We assess Typhon Reborn 2 will likely appear in future attacks, as we have already observed samples in the wild and multiple purchases of the malware.
*   The stealer is currently offered on underground forums for $59 per month but also offers a lifetime subscription for $540, which is inexpensive compared to competing infostealers.
*   The stealer can harvest and exfiltrate sensitive information and uses the Telegram API to send stolen data to attackers.

**Typhon Reborn V2 release  
**

Typhon is an information stealer first publicly reported in mid-2022. It steals sensitive information, such as cryptocurrency wallet data, from a variety of applications and uses a “file grabber” to collect a predefined list of file types, then exfiltrates them via Telegram. Since its initial arrival, it has undergone continuous development, with Typhon Reborn being released just several months later in late 2022. The malware’s developer announced the release of Typhon Reborn V2 on Jan. 31, 2023 on the popular Russian language dark web forum XSS. Samples uploaded to public repositories indicate that the new version of Typhon Reborn has been in the wild since December 2022.

_Post announcing Typhon Reborn V2 release._

In the latest version, the malware developer claimed to have refactored the codebase and significantly improved existing capabilities present within the malware, which Cisco Talos independently confirmed. It is available for $59 per month or a lifetime subscription for $540, which is inexpensive compared to competing infostealers. Analysis of the cryptocurrency wallet from which the attacker collects payments suggests that multiple adversaries have purchased access to the stealer, making it likely that it will be used in attacks moving forward.

**Notable changes in Typhon Reborn V2**

The code in Version 2 of Typhon Reborn was heavily modified compared to Version 1, based on our analysis.

_Code changes between Typhon Reborn V1 and V2._

For example, Version 2 has significantly more anti-analysis and anti-virtualization capabilities, as evidenced by comparing the anti-analysis routines present in each version. For example, the developer made several changes to the logic that prevents the malware from infecting systems that match predefined criteria. That includes heavily expanding this list of criteria to include present usernames, CPUIDs, applications and processes present on the system, debugger/emulation checks, and geolocation data for countries that attackers may wish to avoid.

_Anti-analysis routine comparison between Typhon Reborn versions._

Finally, in Typhon Reborn V2 samples that we analyzed, the developer appeared to have removed the functionality that establishes persistence across reboots. Instead, V2 simply terminates itself after data exfiltration.

**Dissecting Typhon Reborn V2**

In Typhon Reborn V2, the malware complicates analysis via string obfuscation by using Base64 encoding and applying the XOR function to various strings. During execution, the malware decodes the Base64, generating a UTF-8 character-encoded string that is then deobfuscated using an XOR key stored in the malware’s configuration or hard-coded into DecryptString(). The XOR key used is based on the mode passed when the function is called each time. The resulting string is then decoded from Base64 again, creating a plain text string to continue the operation.

_String deobfuscation functionality._

The malware’s operations are determined by a series of parameters stored in the malware’s configuration that dictate what information should be collected, keys used for string deobfuscation and geolocations where the malware should not execute.

_Typhon Reborn V2 configuration parameters._

**Anti-analysis and sandbox evasion**

When Typhon Reborn V2’s main() method is executed, it checks the malware configuration to determine if anti-analysis has been enabled. If it is enabled, the malware will attempt to conduct a series of anti-analysis checks to determine if it is being executed in an analysis or sandbox environment.

_Anti-analysis checks._

If any of the checks fail, the malware will call a SelfRemove() class to self delete, by creating a batch file in the temp directory with the following contents.

    chcp 65001
    TaskKill /F /IM [MALWARE_PID]
    Timeout /T 2 /Nobreak
    

This batch file is then executed via the Windows command processor, thus terminating the malware’s execution.

_Self-removal functionality._

The overall execution flow of the various anti-analysis checks is shown below.

_Anti-analysis process flow._

The malware uses Windows Management Instrumentation (WMI) to retrieve information about the Graphics Processing Unit (GPU) on the system.

SELECT * FROM Win32_VideoController

It then checks the returned value to determine if it contains the string vmware svga.

Then, it makes an HTTP request to the following URL to determine if the system is located in a network associated with a hosting provider, colocation facility, or data center environment. The API returns either a “True” or “False” response based on the location of the system which is used to determine the type of environment in which the system is located.

hxxp://ip-api[.]com/line/?fields=hosting

Then, it checks for the presence of the following DLLs associated with common security products that may be installed.

*   SbieDLL.dll (Sandboxie)
*   SxIn.dll (360 Total Security)
*   Sf2.dll (Avast)
*   Snxhk.dll (Avast)
*   cmdvrt32.dll (Comodo Internet Security)

It also retrieves the system manufacturer and model via WMI using the following query:

Select * from Win32_ComputerSystem

The retrieved information is checked to determine if it contains the following hypervisor-related strings.

*   VIRTUAL
*   vmware
*   VirtualBox

The malware also uses WMI to collect information about the system’s video controller.

SELECT * FROM Win32_VideoController

This information is then checked to determine if it contains the strings VMware or VBox.

Next, the malware uses CheckRemoteDebuggerPresent to determine if the process is being debugged.

The malware then obtains the current system time, initiates a short (10ms) sleep, then obtains the system time again. It compares the delta between the two times to what is expected during normal operations to determine if the process is being run in a debugging session.

The command line argument used to initially launch the malware is then obtained to determine if the sample was executed using the file name detonate.exe or if the argument -–detonate was passed when initiating execution.

The malware also checks the Windows Registry (SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to determine if any subkeys reference the following common analysis tools:

*   dnSpy
    

*   PDFStreamDumper
    

*   Ghidra
    

*   Wireshark
    

*   Autoruns
    

*   x64dbg
    

*   HashCalc
    

*   Process Hacker
    

  

*   FileInsight
    

*   Process Monitor
    

  

Next, WMI is queried to obtain the ProcessorId (CPUID) for the system using the following query.

Select ProcessorId From Win32_Processor

The CPUID is then checked against the following list of CPUIDs under which the malware will not execute:

*   4AB2DFCCF4
*   BFEBFBFF000906E9
*   078BFBFF000506E3
*   078BFBFF00000F61
*   178BFBFF00830F10
*   0F8BFBFF000306C1

The malware also determines the user account context under which the malware is executing and will terminate if the username matches the following values:

*   IT-ADMIN
    

*   sand box
    

*   Abby
    

*   Paul Jones
    

*   maltest
    

*   WDAGUtilityAccount
    

*   WALKER
    

*   malware
    

*   Frank
    

*   Sandbox
    

*   virus
    

*   fred
    

*   timmy
    

*   John Doe
    

*   JOHN-PC
    

*   tim
    

*   Emily
    

*   Lisa
    

*   vboxuser
    

*   CurrentUser
    

*   John
    

*   sandbox
    

*   test
    

  

*   Peter Wilson
    

*   TVM
    

  

The malware then obtains the list of currently running processes on the system and checks the executable path associated with them against the following list of executable file names associated with common analysis tools.

*   ollydbg.exe
    

*   idaq64.exe
    

*   processhacker.exe
    

*   immunitydebugger.exe
    

*   tcpview.exe
    

*   wireshark.exe
    

*   autoruns.exe
    

*   dumpcap.exe
    

*   de4dot.exe
    

*   hookexplorer.exe
    

*   ilspy.exe
    

*   lordpe.exe
    

*   dnspy.exe
    

*   petools.exe
    

*   autorunsc.exe
    

*   resourcehacker.exe
    

*   filemon.exe
    

*   x32dbg.exe
    

*   procmon.exe
    

*   x64dbg.exe
    

*   regmon.exe
    

*   fiddler.exe
    

*   idaq.exe
    

  

It then attempts to test internet connectivity by making an HTTP request to http://www.google.com.

The malware again obtains the execution environment to determine if its filename matches the following list:

*   detonate
*   virus
*   test
*   malware
*   maltest

Next, the malware checks the Programs subdirectory under the Windows Start Menu for the presence of the following analysis tools:

*   dnspy
    

*   x86dbg
    

*   detect it easy
    

*   ghidra
    

*   die
    

*   ida
    

*   procmon
    

*   fiddler
    

*   process monitor
    

*   scylla
    

*   process hacker
    

*   winhex
    

*   ilspy
    

*   hxd
    

*   x64dbg
    

*   de4dot
    

It then attempts to locate wine_get_unix_file_name to determine if Wine is being used in an analysis environment.

Next, it checks the SYSTEM_CODEINTEGRITY_INFORMATION structure to determine if unsigned or test-signed drivers are allowed on the system (CODEINTEGRITY_OPTION_ENABLED, CODEINTEGRITY_OPTION_TESTSIGN).

The malware also checks the SYSTEM_KERNEL_DEBUGGER_INFORMATION structure to determine if kernel mode debugging is enabled (KernelDebuggerEnabled).

Then, the malware checks various system DLLs for the presence of instructions that may indicate that the environment is instrumented for analysis.

The malware also features two geolocation avoidance mechanisms. The first one allows for the specification of a list of countries in the malware’s config that the attacker does not want to infect systems in. The malware uses the IP-API service to determine where the system is located and compares it against the user-supplied list.

_IP geolocation check._

If the system is located in one of these countries, the malware calls the SelfRemove() functionality previously described.

The malware also contains a RunAntiCIS() feature that specifically avoids infecting systems located in Commonwealth of Independent States (CIS) countries.

_CIS country avoidance._

**System and network data collection**

If the victim’s environment passes all the malware’s anti-analysis checks, Typhon Reborn V2 begins collecting and exfiltrating sensitive information. First, the malware creates a randomly named subdirectory under %LOCALAPPDATA%, then the malware begins generating stealer logs that will ultimately be staged in that subdirectory for exfiltration.

To generate the logs, the malware retrieves survey information about the infected system and writes it to the stealer log. It collects a variety of system information including user data, system data and network information, using various mechanisms such as WMI queries, environment variables, and registry keys. The malware uses api[.]ipify[.]org to obtain the public IP of the infected system. This information is saved in the malware’s working directory (UserData.txt) along with a text file (BuildID.txt) containing the Telegram channel for the malware’s developer. A list of installed software is also generated using WMI and saved (InstalledSoftwares.txt). A list of hard drives present within the system is also saved (Drive Info.txt).

The malware also captures screenshots from infected systems saved in the same directory as the stealer logs.

_Screenshot capture._

The stealer also collects saved Wi-Fi network information and stores it (Wifi Passwords.txt) using the following system commands:

cmd.exe /C  chcp 65001 && netsh wlan show profile | findstr All

cmd.exe /C timeout /t 5 /nobreak > nul && netsh wlan show profile name=<PROFILE_NAME> key=clear | findstr Key

It also attempts to scan for available wireless networks and stores information about them (Available Networks.txt).

cmd.exe /C timeout /t 5 /nobreak > nul && netsh wlan show networks mode=bssid

A list of currently running processes and process executable paths is collected and saved as well (Running Processes.txt).

**Application data collection**

Once basic system information has been collected and saved, the stealer begins iterating through specific applications and collecting data based on the malware’s configuration. The stealer currently supports collecting passwords, tokens, and other sensitive information from the applications shown below.

_Typhon Reborn V2 Application Support._

**Gaming clients**

Typhon Reborn V2 can steal data from additional applications, including various gaming clients. However, this functionality was never actually called from the main() method of the malware in the latest version analyzed.

The malware also contains a FileGrabber() feature that is used to collect and exfiltrate files of interest from victim environments. It iterates through all drives detected on the system and attempts to determine whether any are removable storage devices, network storage locations or optical drives.

_Drive enumeration._

Each drive that meets this criterion has its root directory added to a list of target directories. The malware then iterates through all of the target directories, copying contents that match the parameters in the malware’s configuration to the malware’s working directory.

The two parameters Config.GrabberSize and Config.GrabberFileExtensions defined in the malware’s configuration determine the operation of the file collection capability.

_File grabber configuration parameters._

**Data exfiltration**

Once the stealer has finished collecting information from infected systems, the data is stored in a compressed archive and exfiltrated via HTTPS using the Telegram API. First, the malware sends an overview log containing survey information and basic statistics related to the data collected.

_Stealer log transmission._

Then, the malware sends another Telegram message containing the data being exfiltrated from the infected system.

_Data exfiltration._

Once the data has been successfully transmitted to the attacker, the archive is then deleted from the infected system. The malware then calls SelfRemove.Remove() to terminate execution.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following Snort SIDs are applicable to this threat: 61532-61533, 300476.

**Orbital Queries**

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here.

**Indicators of Compromise (IOCs)**

IOCs for this research can also be found at our Github repository here

Typhon Reborn V2: Updated stealer features enhanced anti-analysis and evasion capabilities

A specially crafted STL file can lead to a heap buffer overflow.

Monday, April 3, 2023 11:04

_Francesco Benvenuto of Cisco Talos discovered this vulnerability._

Cisco Talos recently discovered an improper array index validation vulnerability in a functionality of the ADMesh library.

ADMesh is a C library used to process 3-D triangular meshes.

Talos found an improper array index validation vulnerability in TALOS-2022-1594 (CVE-2022-38072). A specially crafted STL file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

Cisco Talos worked with ADMesh to ensure that this issue was resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: ADMesh Master Commit 767a105, Slic3r libslic3r Master Commit b1a5500 and ADMesh v0.98.4. Talos tested and confirmed these versions could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 60544 and 60545. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: Buffer overflow vulnerability in ADMesh library

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 24 and March 31. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for March 24 to March 31

Cisco Talos is tracking and actively responding to a supply chain attack involving the 3CX Desktop Softphone application.
This is a multi-stage attack that involves sideloading DLLs, seven-day sleep routines, and additional payloads dependent on a now-removed GitHub repository for Windows based systems.
MacOS systems used a different infection chain

Thursday, March 30, 2023 18:03

*   Cisco Talos is tracking and actively responding to a supply chain attack involving the 3CX Desktop Softphone application.
*   This is a multi-stage attack that involves sideloading DLLs, seven-day sleep routines, and additional payloads dependent on a now-removed GitHub repository for Windows based systems.
*   MacOS systems used a different infection chain leveraging a hardcoded C2 domain, as opposed to the GitHub repo.
*   This is just the latest supply chain attack threatening users, after the SolarWinds incident in 2020 and the REvil ransomware group exploiting Kaseya VSA in 2021.

**Summary**

Cisco Talos recently became aware of a supply chain attack affecting Windows and MacOS users of the 3CX software-based phone application. This attack leveraged the legitimate update functionality of the 3CX application to deliver a set of malicious payloads to 3CX users.

The infection chain consists of several stages and involves sideloading DLLs along with a seven-day sleep cycle before the malware attempts to retrieve additional malicious artifacts from a now-removed GitHub repository for the Windows based infection. The GitHub repository hosted a series of icon files with encrypted data appended to the end of the files. These encrypted strings, once decrypted, contained the C2 domains for additional malicious artifacts.

The MacOS version used a hard coded C2 domain. These second-stage payloads are information stealers that attempt to obtain system information and the latest browsing history records, indicating this information may be used as a filtering mechanism to identify and discard some victims while maintaining unauthorized access to others.

During our investigation we were able to see file activity dating back to February 3, 2023. However, the GitHub repository has been active since December 2022. The full scope of the attack is uncertain at this point. The 3CX website claims to have over 600,000 customers and 12 million daily users. It's unclear how many are users of the 3CX Desktop App versus the web app option that was not affected. 3CX is currently asking users to use the web app while they work to release an update.

**Preparing since February 2022**

Based on Cisco Talos investigation, it appears the infrastructure that supported this attack was being prepared as early as February 2022 when the domains were first registered. A second cluster of activity happened toward the end of 2022 when the GitHub repository was created, along with a few other domains. The sbmsa\[.\]wiki domain was also created on Feb. 9, 2023, which was found to be used by the second stage of the MacOS version.  

The timeline below illustrates these clusters of activity.

Timeline of domain registration activity.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Talos created the following coverage for this:

Snort SIDs:

Snort 3: 300480,300481

Snort 2: 61550-61553

**Orbital Queries**

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, Cisco Secure Endpoint customers need to make sure that "%3CX%" is entered into the program field under the "Installed Program Search" for Windows and ".\*3CX.\*" under "Installed Applications Monitoring" for MacOS in Orbital.

Additionally, the users can access the OSQueries directly on GitHub for both Windows and MacOS.

**Indicators of Compromise (IOCs)**

Indicators of compromise (IOCs) associated with ongoing activity can be found here.

Threat Advisory: 3CX Softphone Supply Chain Compromise

XXE attacks allow an adversary to interact with other backend or external systems that OpManager accesses.

Thursday, March 30, 2023 15:03

_Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability._

Cisco Talos recently discovered a vulnerability in ManageEngine OpManager that could lead to an XML external entity (XXE) attack.

OpManager is network monitoring software that allows users to track and manage the performance of connected routers, switches, firewalls, servers, VMs and more. A vulnerability (TALOS-2022-1685/CVE-2022-43473) exists when the user attempts to add a unified computing system (UCS) to the software.

An attacker could exploit this vulnerability by providing a specially crafted, malicious XML file at an exact point during that connection process to allow them to carry out an XXE attack. XXE attacks allow an adversary to interact with other backend or external systems that OpManager accesses.

Cisco Talos worked with the managers of ManageEngine to ensure that this issue is resolved and an update is available for affected users, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update ManageEngine OpManager, version 12.6.168 as soon as possible. Talos tested and confirmed this version of the software could be exploited by this vulnerability.

The following Snort rule will detect exploitation attempts against this vulnerability:  
49864\. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Vulnerability in ManageEngine OpManager could lead to XXE attack

Very few of us looking to buy these pieces of equipment are qualified to say if these products are even secure, and those among us who are are probably smart enough to know not to buy these products in the first place.

Thursday, March 30, 2023 14:03

Welcome to this week’s edition of the Threat Source newsletter.

Everyone loves a good video of someone slipping on their icy steps in the winter, captured thanks to their home security camera or smart doorbell. But what about when that camera is just kind of chilling out and not catching the moment your dog takes off after that squirrel?

The world of security cameras and recording devices attached to one’s home is becoming increasingly murky by the day. Law enforcement officials are finding ways to compel the companies that manufacture and manage these devices to turn over homeowners’ footage, even if the homeowner doesn’t consent to it.

And Amazon Ring, the biggest player in this space now, may or may not be the target of a ransomware attack.

So, while consumers might be purchasing these devices to ensure their physical security, the question about if these products are good for online security is a major question mark.

As Talos’ own Joe Marshall wrote in a guest column at Dark Reading this week, “IoT vendors continue to fail us on implementing solid cybersecurity controls.” This even goes for some of the largest tech companies in the world who would conceivably have the most money to invest in securing and testing these devices before they hit the market.

There are tons of budget options on the market that, unless you are an expert vulnerability researcher, are impossible to fully vet. I just went to Amazon’s website this week and searched for “smart doorbell.” Three of the best-selling items on the first page of results use nearly the exact same thumbnail art to advertise the product. Yet when you go to their product pages, each one is listed as being manufactured or sold by a different company.

If you’re merely reading the reviews of these products to figure out what’s right for you, or searching the internet for someone else’s review, they may mention if the resolution quality is up to snuff or if the app works well, but I doubt the reviewer has the time to physically tear apart the device looking for vulnerabilities or combing through the API for security holes. And if we can’t even trust the companies making these devices to differentiate their products based on appearance, there is no way to know how they may be prepared to respond to a data breach or what their stance is on sharing footage with law enforcement.

The same goes for security cameras. On Amazon’s search page for “home security camera,” the top five non-sponsored results are all made by different companies (Ring being one of them) and based on the features they offer, it’s nearly impossible to differentiate them outside of a difference in form factor. Very few of us looking to buy these pieces of equipment are qualified to say if these products are even secure, and those among us who are are probably smart enough to know not to buy these products in the first place.

I certainly wouldn’t stop anyone from buying a home security camera if they truly feel it improves their families’ safety. But I think that, no matter what brand we buy, everyone just needs to assume now that they’re taking a risk with their privacy and online security as a trade-off for catching possible package burglars.

**The one big thing**

Emotet is back from the dead once again. Since returning, Emotet has leveraged several distinct infection chains, indicating that they are modifying their approach based on their perceived success in infecting new systems. The initial emails delivered to victims are consistent with what has been observed from Emotet over the past several years.

Why do I care?

Emotet is arguably the most infamous botnet on the threat landscape, so it’s notable any time it spins back up. This network is known to go through quiet periods and then pop back up, so this isn’t particularly surprising, but it is noteworthy because Emotet’s creators are switching up their tactics by switching to new types of lure documents to evade detection and recent changes Microsoft made to macros to try and stop attackers from using malicious Office attachments.

**So now what?**

Because Emotet has been around for so long now, Cisco Secure and Talos have an exhaustive list of ways to stay protected from Emotet spam. But as a good general reminder, always make sure you triple-check the “From” field in an email to make sure it’s actually from who you think its from. And never open an attachment or click on a link in an email unless you’re sure it’s the correct destination.

**Top security headlines of the week**

**Defenders and detractors of TikTok both seem unmoved** after the popular social media app’s CEO testified in front of a U.S. Congressional panel last week. Lawmakers who are in favor of a blanket ban on the app in the U.S. over data and privacy concerns were unimpressed with the answers the company’s lead provided, while others mocked lawmakers for the types of questions they asked and instead advocated for broader data privacy laws. Republicans in Congress still plan to take up legislation to ban TikTok, with House Speaker Kevin McCarthy tweeting that, “It’s very concerning that the CEO of TikTok can’t be honest and admit what we already know to be true — China has access to TikTok user data.” (Buzzfeed, The Hill, The New Yorker)

**A bug in the popular ChatGPT AI tool exposed other users’ message history** and may have also leaked sensitive information like the payment information and emails of premium users. OpenAI, the company behind ChatGPT, took the tool offline last Tuesday for emergency maintenance after they became aware of the issue. The company confirmed the information was exposed during a nine-hour window on March 20, but it could have been exposed prior to that. The data leak exposes concerns that many users have around using tools like ChatGPT to share sensitive or potentially confidential information. (SecurityWeek, Engadget)

**A data breach at Latitude Financial affects millions of people in New Zealand and Australia,** potentially dating back to 2005. The personal lending company said attackers stole around 7.9 million driver’s license numbers and 53,000 passport numbers. Names, addresses, phone numbers and dates of birth are also among the data stolen. When Latitude first announced the attack on March 16, it estimated that 300,000 customers had been affected, but the number has grown as the investigation continued, though the company stopped the breach prior to the disclosure. The breach has called into question why financial companies retain records for so long after a customer has applied for financing and how that data is stored. (The Guardian, Yahoo Finance)

**Can’t get enough Talos?**

*   Talos Takes Ep. #132: Reflecting on one year of Talos' work in Ukraine
*   Graphic novel: Life inside the Talos Ukraine Task Unit
*   How an incident response retainer can drive proactive security
*   Threat Roundup for March 17 - 24
*   If your Netgear Orbi router isn’t patched, you’ll want to change that pronto

**Upcoming events where you can find Talos**

**RSA** **(April 24 - 27)**

San Francisco, CA

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423  
**MD5:** 954a5fc664c23a7a97e09850accdfe8e  
**Typical Filename:** teams15.exe  
**Claimed Product:** teams15  
**Detection Name:** Gen:Variant.MSILHeracles.59885

**SHA 256:** c74e7421f2021b46ee256e5f02d94c1bce15da107c8c997c611055412de1ac1  
**MD5:** 2d16d0af6183803a79d9ef5c744286c4  
**Typical Filename:** nano\_download.php  
**Claimed Product:** Web Companion Installer  
**Detection Name:** W32.1C74E7421F-100.SBX.VIOC

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

Threat Source newsletter (March 30, 2023) — It’s impossible to tell if your home security camera or doorbell is truly safe

OpenImageIO is a library that converts, compares and processes various image files. Blender and AliceVision, two often used computer imaging services, utilize the library, among other software offerings.

Thursday, March 30, 2023 12:03

_Lilith >\_> of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered three vulnerabilities in the OpenImageIO image-parsing library that many popular pieces of 3-D rendering software use.

OpenImageIO is a library that converts, compares and processes various image files. Blender and AliceVision, two often used computer imaging services, utilize the library, among other software offerings.

Two of the vulnerabilities — TALOS-2023-1707 (CVE-2023-24473) and TALOS-2023-1708 (CVE-2023-22845) — could lead to the disclosure of sensitive information. An adversary could exploit these vulnerabilities by sending the target a specially crafted, malicious Targa (.tga) file.

TALOS-2023-1709 (CVE-2023-24472) is a denial-of-service vulnerability that is a continuation of TALOS-2022-1653 (CVE-2022-43594 and CVE-2022-43595). Talos first discovered CVE-2022-43595 in December, though it was not fixed in the most recent version of OpenImageIO.

Cisco Talos worked with OpenImageIO to ensure that these issues are resolved and an update is available for affected users, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: OpenImageIO Project, version 2.4.7.1. Talos tested and confirmed this version of the library could be exploited by this vulnerability.

The following Snort rule will detect exploitation attempts against this vulnerability: 61271, 61272, 61384 and 61385. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.